> Please find attached to this note a copy of the draft CVE Simplified
> Counting Paper. The paper was originally prepared as an internal piece
> to help the CVE analysts orient their thinking, and we thought that it
> would be useful to share it with the Board as background before the
> Board meeting Wednesday afternoon.

Comments added.

At a high level, even more tolerance for assignment criteria, increased
assignment (by MITRE and/or CNAs) is necessary to keep up with reality.
A direct effect is an increased need for split/merge/reject cleanup.

Perhaps, vaguely reminiscent of CAN/CVE days, CVE entries get a flag
that can be set by MITRE or a CNA to distinguish "claimed
vulnerabilities, report looks plausible, public reference" from "vendor
acknowledged, or otherwise substantiated claim, public reference."
- Art

One thing to keep in mind I think is that at a high level CVE stands for "Common Vulnerabilities and Exposures", so obviously it's used to track vulns, but on the other side CVE is also heavily used to track remediation, be it software updates, workarounds, compensating controls, whatever. A good example of this is the search results: